Hermes Messaging Service domain separation
Summary of Hermes Messaging Service domain separation
The Hermes Messaging Service supports domain separation, allowing you to logically separate data, processes, and administrative tasks into distinct domains. This separation controls user access and visibility to data, ensuring that information is properly segmented across multiple tenants within your ServiceNow instance. Domain separation is essential for service providers who manage communications with tenant customers, ensuring appropriate data sharing and isolation.
Key Features
- Runtime Domain Separation: The service enforces domain separation during runtime, affecting the user interface, cache keys, reporting, rollups, and aggregations to maintain data isolation.
- Namespace Configuration: Domains are assigned to Kafka topics through namespaces, which are managed by users with the kafka_namespace_admin role. This setup controls which domains can access specific Kafka topics.
- Domain-Separated Tables: Both the Kafka Topics (sys_kafka_topic) and Kafka Namespaces (sys_kafka_namespace) tables are domain-separated and protected by domain separation rules and access control lists (ACLs).
- Global Domain Handling: Topics created within the Default Namespace belong to the global domain, accessible as per global domain rules.
- Required Plugin: Domain separation features require the Domain Support - Domain Extensions Installer plugin (com.glide.domain.msp_extensions.installer).
Practical Application
For service providers using Hermes Messaging Service, domain separation enables secure and organized communication with tenant customers. For example, when a service provider responds to a tenant customer's chat message, domain separation ensures that the customer can only see responses relevant to their domain, maintaining privacy and data integrity.
Administrators are responsible for configuring namespaces, assigning them to domains, and managing access through roles and ACLs to uphold these separations effectively.
Domain separation is supported for the Hermes Messaging Service. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.
Support level: Basic
- Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
- The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
- The owner of the instance must set up the application to function across multiple tenants.
Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.
For more information on support levels, see Application support for domain separation.
Overview of Hermes Messaging Service domain separation
On a domain-separated instance, you can use namespaces to configure which domains can access specific topics in the Hermes Kafka cluster. You assign topics to ServiceNow domains using the topic record's namespace.
How domain separation works with the Hermes Messaging Service
On a domain-separated instance, a user with the kafka_namespace_admin role can assign namespaces to specific ServiceNow domains. When the Kafka namespace admin assigns a namespace to a particular domain, all the topics created in that namespace will have the same domain. Users can only see and interact with the topics and namespaces they have access to, based on domain visibility and access control lists (ACLs). Topics created with the Default Namespace are created in the global domain.
Both the Kafka Topics [sys_kafka_topic] table and the Kafka Namespaces [sys_kafka_namespace] table are domain-separated tables. Domain separation rules filter which records are available in each domain. In addition to being domain-separated, these tables can also be protected with ACLs, just like any other table.
All domain support features require the Domain Support - Domain Extensions Installer (com.glide.domain.msp_extensions.installer) plugin.
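The inheritance rule described above (a topic takes the domain of its namespace, and topics in the Default Namespace land in the global domain) can be checked offline against an export of the two tables. The following is an added example, not ServiceNow code: the record field names (`name`, `namespace`, `domain`), the domain names, and every sample record are assumptions constructed for illustration.

```javascript
// Added example: audit exported Hermes topic and namespace records for domain drift.
// Field names are assumed export columns, not the platform schema.
const DEFAULT_NAMESPACE = "Default Namespace";
const GLOBAL_DOMAIN = "global";

// Constructed sample data standing in for the Kafka Namespaces table.
const namespaces = [
  { name: "Default Namespace", domain: "global" },
  { name: "acme", domain: "TOP/Acme" },
  { name: "initech", domain: "TOP/Initech" },
];

// Constructed sample data standing in for the Kafka Topics table.
const topics = [
  { name: "acme.chat.inbound", namespace: "acme", domain: "TOP/Acme" },
  { name: "initech.chat.inbound", namespace: "initech", domain: "TOP/Acme" },
  { name: "billing.events", namespace: "Default Namespace", domain: "global" },
  { name: "orphan.topic", namespace: "retired", domain: "TOP/Acme" },
];

function auditTopics(topicRecords, namespaceRecords) {
  const nsDomain = new Map(namespaceRecords.map((ns) => [ns.name, ns.domain]));
  const findings = [];
  for (const t of topicRecords) {
    // A topic pointing at a namespace that is not in the export cannot be verified.
    if (!nsDomain.has(t.namespace)) {
      findings.push({ topic: t.name, issue: "unknown-namespace" });
      continue;
    }
    // Default Namespace topics belong to global; all others inherit the namespace's domain.
    const expected =
      t.namespace === DEFAULT_NAMESPACE ? GLOBAL_DOMAIN : nsDomain.get(t.namespace);
    if (t.domain !== expected) {
      findings.push({ topic: t.name, issue: "domain-mismatch", expected, actual: t.domain });
    } else if (t.domain === GLOBAL_DOMAIN) {
      // Consistent, but subject to global domain rules: confirm it carries no tenant data.
      findings.push({ topic: t.name, issue: "global-domain" });
    }
  }
  return findings;
}

console.log(auditTopics(topics, namespaces));
```

A `global-domain` finding is a review item rather than an error: it marks topics whose visibility follows global domain rules instead of a tenant's domain.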